Correct fortification, or how to determine the role of an NGFW in the network

Good day,

The agenda is to choose a firewall system to protect a corporate network. The task is not trivial: many vendors advertise their products with data sheets quoting attractive performance figures, each measured under different conditions, and the Internet is full of articles and videos by recognized experts that go deep into particular technologies. This article instead describes the main roles a firewall plays, without a theoretical treatment of packet processing at the operating-system kernel level. Practice shows that most specialists in small and medium-sized enterprises (up to roughly 1500 users) begin the selection without a complete, structured picture of the firewall's capabilities, especially its protection modules and the vendor-specific details that can make a feature ineffective in certain conditions. Sizing a solution on performance alone, without a pilot, requires traffic metrics (volume, protocol and application mix, session counts, share of encrypted traffic) that are hard to collect from a production network and hard to reproduce realistically in a lab; load testing a hardware appliance also needs skills and specialized tools, and free tools do not cover the full feature set while commercial ones are expensive. Therefore, in my opinion, the selection should start from the functional capabilities the system needs for its role in the Customer's infrastructure. A firewall can play the following roles:

Network core

The firewall is the central router of the network: it works with traffic from the network layer (OSI layer 3) upward and forwards it between the subnets of the corporate network. This role should be considered when network security is built on segmentation, with traffic between segments checked for threats and malicious content according to global standards and practice. In modern conditions a firewall that only inspects up to the transport layer (ports and stateful sessions) is not enough for these tasks, since several protocols and network applications can run over the same network port; the system must identify and separate them, inspect the content, and take preventive action automatically when a security incident is detected. Because all inter-segment traffic passes through this device, it is the most performance-sensitive role: sizing must be based on throughput with the inspection modules enabled, not on the raw forwarding figure. The necessary functions include:

  • Clustering. The clustering technology should support several operating modes: active/passive high availability (if one node fails, the second processes all traffic) and active/active load sharing. If traffic is to be balanced, check how it is done, what the real performance gain is, and whether all traffic or only certain flows are distributed; also check that established sessions and VPN tunnels survive a failover, which requires state synchronization between the nodes.

  • Physical ports. The type, speed and number of ports should match the physical topology of the network so that traffic is carried without errors at the required speed, with spare ports for cluster synchronization and out-of-band management.

  • Fault tolerance of network ports (link aggregation, for example LACP/802.3ad "bond" interfaces) and redundant power supplies.

  • Routing technologies. It is useful if the system supports a wide range of dynamic routing protocols (BGP, OSPF, IS-IS, RIP) as well as flexible static routing, so that the firewall fits into the existing routing design rather than forcing it to change.

  • Security modules. It is a good plus if the system has an extensive intrusion prevention signature base suited to your infrastructure, antivirus, application control, file type control, and sandbox emulation for zero-day threats. Check that the signature base covers the protocols actually used between your segments (for example database and industrial protocols), and what the throughput is with these modules enabled.

Network perimeter protection

The firewall carries traffic between internal clients of the corporate network, the DMZ and the Internet. The traffic volume is lower than in the network core, because Internet uplinks have less bandwidth than internal links; note, however, that perimeter traffic is mostly encrypted, so the per-flow inspection cost (TLS decryption, sandboxing) is higher and sizing should again use throughput with inspection enabled. The following useful functions can be highlighted:

  • Network technologies: SD-WAN, policy-based routing (PBR) and provider link redundancy for efficient traffic distribution across uplinks and for building VPN tunnels.

  • Dynamic routing. BGP for peering with several providers or autonomous systems and steering traffic at the Internet level; an interior protocol such as OSPF or IS-IS for exchanging routes with the internal routers (IS-IS is an interior protocol and is not used for provider peering).

  • NAT. The ability to flexibly configure different types of NAT (dynamic source NAT with port translation, static one-to-one NAT, port forwarding/destination NAT) and to combine them with the security policy.

  • Security functions. These may include web filtering based on site categorization and page content, network application categorization, file emulation (sandboxing), file type transfer control, antivirus, and TLS inspection in various modes (full decryption, certificate validation only, SNI-based filtering). The modes differ in cost and coverage: SNI and certificate checks work without decryption but cannot see the content, while full decryption requires a trusted inspection CA on the clients and exceptions for pinned applications and sensitive categories.

  • It is useful if the system can act as an MTA (mail transfer agent) for analyzing mail traffic with an anti-spam module. In MTA mode the gateway accepts the message itself, queues it, scans it (including time-consuming sandbox emulation) and only then relays it to the mail server, so delivery does not depend on the sender's SMTP session staying open for the duration of the check. In transparent (non-MTA) scanning the session to the mail server must be held open until the check completes, which limits the analysis time and can let malicious content through that a regular firewall misses.
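The two points made above, that several applications can share one port (network core role) and that SNI-based TLS filtering works without decryption (perimeter role), are illustrated by the following added example. It is not code from the article or from any vendor. It identifies the application from the first client bytes of a flow arriving on tcp/443, extracts the server name from a TLS ClientHello, and shows the difference between a port-only rule and an application-aware one. The sample flows are constructed in the code, not captured from a network, and the allowed host name is an assumed value.

```python
"""Application identification on a shared port and SNI extraction from a TLS ClientHello.

Added example (not from the article). Sample flows below are constructed in code,
not captured from a real network.
"""
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record; used here only to produce sample input."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host              # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    body = b"\x03\x03" + bytes(32)                                    # client_version + random
    body += b"\x00"                                                    # session_id length 0
    body += b"\x00\x02\x13\x01"                                        # one cipher suite
    body += b"\x01\x00"                                                # compression: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher_suites
        pos += 1 + data[pos]                                # compression_methods
        if pos >= len(data):
            return None                                     # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:
                lpos, lend = pos + 2, pos + ext_len         # skip the ServerNameList length
                while lpos + 3 <= lend:
                    name_type = data[lpos]
                    name_len = struct.unpack_from("!H", data, lpos + 1)[0]
                    lpos += 3
                    if name_type == 0:
                        return data[lpos:lpos + name_len].decode("ascii")
                    lpos += name_len
                return None
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def identify_app(payload):
    """Classify a flow by its first client bytes; a port-only rule cannot tell these apart."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03" and payload[5:6] == b"\x01":
        sni = parse_sni(payload)
        return f"tls:{sni}" if sni else "tls:no-sni"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"CONNECT"):
        return "http-plaintext"
    return "unknown"


def decide(payload, allowed_sni=("portal.example.com",)):
    """Application-aware decision for a flow on tcp/443. A port-based rule 'allow tcp/443'
    would pass every case below; here only TLS to an approved name (assumed value) is allowed."""
    app = identify_app(payload)
    if app.startswith("tls:") and app[4:] in allowed_sni:
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample "first bytes" of four flows, all arriving on destination port 443.
    samples = {
        "browser to approved site": build_client_hello("portal.example.com"),
        "browser to other site": build_client_hello("files.example.net"),
        "ssh tunnelled over 443": b"SSH-2.0-OpenSSH_9.6\r\n",
        "plaintext http on 443": b"GET / HTTP/1.1\r\nHost: portal.example.com\r\n\r\n",
    }
    for label, first_bytes in samples.items():
        print(f"{label:28} app={identify_app(first_bytes):26} decision={decide(first_bytes)}")
```

Two caveats a practitioner should keep in mind: the SNI is supplied by the client and is not authenticated, so it is a filtering hint rather than proof of the destination (certificate validation or full decryption is needed for that), and a ClientHello may be split across TCP segments or hidden by Encrypted ClientHello, in which case SNI-based filtering sees nothing.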

VPN concentrator

This role is built on secure, encrypted tunnels between the company's branches/offices and to remote clients. The following functions should be noted:

  • Centralized tunnel management. A convenient tool that builds VPN connections and applies policy from a single control point in a few "clicks", without connecting to each gateway separately to configure the VPN. The centralized tool should allow choosing the connection topology (star, with all traffic passing through the center, or mesh, where every site connects to every other), the tunnel type (host to host, subnet to subnet, gateway to gateway) and flexible policy application to the firewalls in different branches.

  • IPsec support. The system should support IPsec (ESP) with IKE version 2 as the default and IKE version 1 only where needed for compatibility with legacy devices. It should offer a wide choice of algorithms, including modern, cryptographically strong ciphers (AES-128/256, preferably in an AEAD mode such as AES-GCM), hash functions from the SHA-2 family (SHA-1 and MD5 are no longer considered collision resistant and should remain available only for legacy peers) and Diffie-Hellman groups of at least 2048 bits or elliptic-curve groups.

  • Multi-platform software for remote VPN clients. If individual clients outside the corporate network must connect over a VPN tunnel, pay attention to VPN client support on different operating systems. This is becoming more relevant, since in addition to standard workstations running Microsoft Windows, devices with macOS and mobile devices with Android and iOS are used. Despite manufacturers' assurances that all popular operating systems are supported, the current mobile client version may not work on every device at a given time; problems are especially common on iOS, so testing is necessary. The client must also support the cryptographically strong algorithms and tunnel protocols described in the previous point.

  • Support for different types of remote client VPN connections: IPsec and SSL VPN, where the tunnel runs over HTTPS and therefore passes through networks that block IPsec. The ability to reach selected applications/resources of the corporate network through a browser portal without installing a client is convenient, especially on mobile devices, but the portal is an Internet-exposed web application and a known target: it may contain vulnerabilities that put the whole network at risk, so it should be kept patched, monitored and protected with multi-factor authentication.
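The algorithm requirements in the IPsec point above are easiest to apply as a check on the proposals a gateway or client actually offers. The following is an added example (not code from the article or from any vendor) that scores IKE proposals against a minimum-strength policy. It assumes the strongSwan-style "cipher-integrity-dhgroup" token syntax as the input format; the weak-algorithm lists reflect common current guidance and are the author's assumption, not a vendor rule, and the proposal lists in the demo are constructed rather than taken from a real device.

```python
"""Check IKE/IPsec proposals against a minimum-strength policy.

Added example (not from the article). Proposal strings use the strongSwan-style
"cipher-integrity-dhgroup" token syntax as an assumed input format; the weak-algorithm
sets below are an assumption based on common guidance, not a vendor rule.
"""

WEAK_ENC = {"des", "3des", "null", "blowfish", "cast128", "rc5"}
WEAK_INTEG = {"md5", "sha1", "prfmd5", "prfsha1", "md5_128", "sha1_160"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}      # IKE groups 1, 2 and 5


def assess(proposal, ike_version=2, legacy_ok=False):
    """Return a list of findings for one proposal; an empty list means it is acceptable.

    The proposal is treated as an IKE SA proposal, so a missing DH group is a finding
    (for an ESP proposal the same check means 'no forward secrecy on rekey')."""
    findings = []
    if ike_version == 1 and not legacy_ok:
        findings.append("IKEv1 negotiation (use IKEv2; allow IKEv1 only for identified legacy peers)")
    has_dh = has_integ = aead = False
    for token in proposal.lower().rstrip("!").split("-"):
        if token in WEAK_ENC:
            findings.append(f"weak cipher {token}")
        elif token in WEAK_INTEG:
            findings.append(f"weak integrity/PRF {token} (SHA-1 and MD5 are not collision resistant)")
        elif token in WEAK_DH:
            findings.append(f"weak DH group {token} (use modp2048 or stronger, or an elliptic-curve group)")
        if token.startswith(("modp", "ecp", "curve")):
            has_dh = True
        if token.startswith(("aes", "chacha20")) and any(m in token for m in ("gcm", "ccm", "poly1305")):
            aead = True                                  # authenticated encryption, no separate MAC needed
        if token.startswith(("sha", "prfsha", "md5", "prfmd5", "aesxcbc", "aescmac")):
            has_integ = True
    if not has_dh:
        findings.append("no Diffie-Hellman group (no forward secrecy)")
    if not aead and not has_integ:
        findings.append("non-AEAD cipher without an integrity algorithm")
    return findings


def filter_acceptable(proposals, ike_version=2, legacy_ok=False):
    """Keep only proposals that produce no findings, preserving the configured order."""
    return [p for p in proposals if not assess(p, ike_version, legacy_ok)]


if __name__ == "__main__":
    # Constructed proposal list as a gateway might offer it; not taken from a real device.
    ike_proposals = [
        "aes256gcm16-prfsha384-ecp384",
        "aes128-sha256-modp2048",
        "aes128-sha1-modp1024",
        "3des-sha1-modp1024",
        "aes256gcm16",
    ]
    for p in ike_proposals:
        problems = assess(p)
        print(f"{p:32} {'OK' if not problems else '; '.join(problems)}")
    print("accepted:", filter_acceptable(ike_proposals))
    print("legacy peer on IKEv1:", assess("aes128-sha1-modp1024", ike_version=1, legacy_ok=True))
```

In practice you would feed this the proposal strings configured on both ends of each tunnel and on the remote-access client profile; the gateway negotiates the first proposal both sides share, so a weak entry left "for compatibility" at the end of the list can still be selected by a downgraded or misconfigured peer.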

The main roles, in my opinion, are listed above; the list can be extended with further points from experience and imagination. In general, manufacturers divide the functional role into perimeter protection (north-south traffic) and data center (east-west traffic), a division that is sometimes unclear to the end user and is not accompanied by a detailed description of the features suited to each type. I hope the article was useful for you; leave feedback, and new articles on similar topics will appear in the future.
